a. VMware ESXi OpenSLP Remote Code ExecutionVMware ESXi contains a double free flaw in OpenSLP’s SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to remotely execute code on the ESXi host.VMware would like to thank Qinghao Tang of QIHU 360 for reporting this issue to us.The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-5177 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware vCenter Server contains a remotely accessible JMX RMI service that is not securely configured. An unauthenticated remote attacker who is able to connect to the service may be able to use it to execute arbitrary code on the vCenter Server. A local attacker may be able to elevate their privileges on vCenter Server.

VMware would like to thank Doug McLeod of 7 Elements Ltd and an anonymous researcher working through HP’s Zero Day Initiative for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-2342 to this issue.

CRITICAL UPDATE

VMSA-2015-0007.2 and earlier versions of this advisory documented that CVE-2015-2342 was addressed in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3. Subsequently, it was found that the fix for CVE-2015-2342 in vCenter Server 5.0 U3e, 5.1 U3b, and 5.5 U3/U3a/U3b running on Windows was incomplete and did not address the issue.

In order to address the issue on these versions of vCenter Server Windows, an additional patch must be installed. This additional patch is available from VMware Knowledge Base (KB) article 2144428. Alternatively, on vSphere 5.5 updating to vCenter Server 5.5 U3d running on Windows will remediate the issue.

In case the Windows Firewall is enabled on the system that has vCenter Server Windows installed, remote exploitation of CVE-2015-2342 is not possible. Even if the Windows Firewall is enabled, users are advised to install the additional patch in order to remove the local privilege elevation.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product

Product Version

Running on

Replace with/ Apply Patch

VMware vCenter Server

6.0

Any

6.0.0b and above

VMware vCenter Server

5.5

Windows

(5.5 U3/U3a/U3b + KB *) or 5.5 U3d

VMware vCenter Server

5.5

Linux

5.5 U3 and above

VMware vCenter Server

5.1

Windows

(5.1 U3b + KB *) or 5.1 U3d

VMware vCenter Server

5.1

Linux

5.1 U3b

VMware vCenter Server

5.0

Windows

5.0 U3e + KB *

VMware vCenter Server

5.0

Linux

5.0 U3e

* An additional patch provided in VMware KB article 2144428 must be installed on vCenter Server Windows 5.0 U3e, 5.1 U3b, 5.5 U3, 5.5 U3a, and 5.5 U3b in order to remediate CVE-2015-2342.
This patch is not needed when updating to 5.1 U3d or 5.5 U3d, or when installing 5.1 U3d or 5.5 U3d.

c. VMware vCenter Server vpxd denial-of-service vulnerability

VMware vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service.

VMware would like to thank the Google Security Team for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-1047 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

2015-10-01 VMSA-2015-0007
Initial security advisory in conjunction with ESXi 5.0, 5.1 patches and VMware vCenter Server 5.1 u3b, 5.0 u3e on 2015-10-01.2015-10-06 VMSA-2015-0007.1
Updated security advisory in conjunction with the release of ESXi 5.5 U3a on 2015-10-06. Added a note to section 3.a to alert customers to a non-security issue in ESXi 5.5 U3 that is addressed in ESXi 5.5 U3a.2015-10-20 VMSA-2015-0007.2
Updated security advisory to reflect that CVE-2015-2342 is fixed in an earlier vCenter Server version (6.0.0b) than originally reported (6.0 U1) and that the port required to exploit the vulnerability is blocked in the appliance versions of the software (5.1 and above).2016-02-12 VMSA-2015-0007.3
Updated security advisory to add that an additional patch is required on vCenter Server 5.0 U3e, 5.1 U3b and 5.5 U3/U3a/U3b running on Windows to remediate CVE-2015-2342.